[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
TLS/SSL error when authenticating
I'm trying to complete the LDAP setup to use TLS/SSL, its already
working without this feature but i need it to run with TLS/SSL. but it
isnt working., you can see the debuggers output below to see the exact
error that occurs:
my slapd.conf file is this
##############################
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
TLSCertificateFile /etc/openldap/cert/servercert.pem
TLSCertificateKeyFile /etc/openldap/cert/serverkey.pem
TLSCACertificateFile /etc/openldap/cert/cacert.pem
# Allow LDAPv2 client connections. This is NOT the default.
allow bind_v2
# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral ldap://root.openldap.org
pidfile /var/run/slapd.pid
argsfile /var/run/slapd.args
#######################################################################
# ldbm and/or bdb database definitions
#######################################################################
database bdb
suffix "dc=ldaptest,dc=batelco,dc=jo"
rootdn "cn=Manager,dc=ldaptest,dc=batelco,dc=jo"
# Cleartext passwords, especially for the rootdn, should
# be avoided. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
# rootpw secret
rootpw {SSHA}6knlCh6UiA1U2EH9zgVCYddyT5wp/e7I
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory /var/lib/ldap
# Indices to maintain for this database
index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,pres,sub
index nisMapName,nisMapEntry eq,pres,sub
# Replicas of this database
#replogfile /var/lib/ldap/openldap-master-replog
#replica host=ldap-1.example.com:389 starttls=critical
# bindmethod=sasl saslmech=GSSAPI
# authcId=host/ldap-master.example.com@EXAMPLE.COM
##########################################################################
my /etc/openldap/ldap.conf file is this:
#######################################
HOST 127.0.0.1
BASE dc=ldaptest,dc=batelco,dc=jo
TLS_CACERT /etc/openldap/cert/cacert.pem
#######################################
my clients "another linux machine" ldap.conf file is this:
######################################
pam_password md5
port 636
host ldaptest.batelco.jo
base dc=ldaptest,dc=batelco,dc=jo
ssl on
TLS_CACERT /misc/cacert.pem
######################################
i'm running slapd on both port 389 and 636 using the command <slapd -d79
-u ldap -h "ldap:/// ldaps:///", what i get from the debugger is the
following:
##################################################
tls_read: want=5, got=5
0000: 15 03 01 00 02 .....
tls_read: want=2, got=2
0000: 02 30 .0
TLS trace: SSL3 alert read:fatal:unknown CA
TLS trace: SSL_accept:failed in SSLv3 read client certificate A
TLS: can't accept.
TLS: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
s3_pkt.c:1052
connection_read(16): TLS accept error error=-1 id=8, closing
connection_closing: readying conn=8 sd=16 for close
connection_close: conn=8 sd=16
daemon: removing 16
####################################################
the su command for a user in the ldap returns the follwoing:
>>[root@waka ~]# su test
>>su: incorrect password
>>[root@waka ~]#
the result incorrect password is given without entering a password.
i generated a CA using the openssl tools, my servers FQDN is
"ldaptest.batelco.jo" and the suffix of the ldap slapd.conf is also
"ldaptest.batelco.jo" so i generated the keys using that FQDN, i also
follwoed the steps outlined in the openldap document
"http://www.openldap.org/pub/ksoper/OpenLDAP_TLS_howto.html#4.0"; and
other FAQ's and HOW-TOs, acn anyone please elp me, i'm at the end of my
rope.